VYPR
Advisory · Published May 20, 2026 · 1 source

CrowdStrike Details How Infostealers Bypass MFA by Stealing Session Tokens

CrowdStrike outlines the attack chain where infostealers like RedLine and Vidar harvest credentials, cookies, and tokens to bypass MFA and persist access.

CrowdStrike has published a detailed analysis of how infostealer malware compromises identities and sessions, highlighting the growing threat of credential and session token theft. The blog post explains that infostealers such as RedLine, Vidar, and Raccoon Stealer target browsers and endpoints to harvest not only passwords but also cookies, session tokens, and authentication tokens, enabling attackers to bypass multi-factor authentication (MFA) and maintain persistent access to compromised accounts.

The attack chain typically begins with phishing or drive-by downloads that deploy the infostealer on a victim's device. Once installed, the malware extracts stored credentials from browsers, email clients, and other applications. Crucially, it also steals session cookies and OAuth tokens, which allow attackers to impersonate the victim without needing to re-authenticate. This technique effectively neutralizes MFA protections because MFA was already satisfied when the session was established: the stolen cookie or token is accepted by the service as proof of that completed authentication.

CrowdStrike emphasizes that session token theft is particularly dangerous because it grants attackers immediate access to cloud services, corporate applications, and sensitive data. Even if passwords are rotated or MFA is enforced, stolen session tokens remain valid until they expire or are revoked. This has led to a surge in post-compromise lateral movement and data exfiltration incidents.

To defend against these threats, CrowdStrike recommends a multi-layered approach. Hardware-backed credential isolation, such as using Windows Defender Credential Guard or Apple's Secure Enclave, can prevent malware from accessing stored credentials. Session token binding ties authentication tokens to specific device attributes, making them unusable if stolen. Endpoint detection and response (EDR) solutions can identify infostealer behavior, such as mass file reads or unusual network connections.

The advisory also stresses the importance of regular credential rotation, short session timeouts, and conditional access policies that require re-authentication for high-risk actions. Organizations should monitor for signs of token theft, such as anomalous login locations or simultaneous sessions from different devices.
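The two defensive controls described above, device binding of session tokens and monitoring for one session used from several devices or locations, as an added example that is not part of the CrowdStrike post or this advisory. The HMAC-based binding scheme, the log fields and the sample events are constructed assumptions for illustration; production token binding normally relies on device-held keys rather than a server-side HMAC over a fingerprint string.

```python
"""Detect likely session-token replay and verify device-bound tokens.

Two defender-side checks from the advisory, in simplified form:
  1. Token binding: a token is only honoured from the device it was issued to.
  2. Monitoring: flag sessions observed from more than one device or country.
Log format, binding scheme and sample data are assumptions for this example.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample auth events: (timestamp, session_id, device_fingerprint, country)
EVENTS = [
    ("2026-05-20T09:00:00Z", "sess-a1", "dev-laptop-01", "US"),
    ("2026-05-20T09:02:00Z", "sess-a1", "dev-laptop-01", "US"),
    ("2026-05-20T09:05:00Z", "sess-a1", "dev-unknown-77", "RO"),  # same cookie, new device
    ("2026-05-20T09:07:00Z", "sess-b2", "dev-desktop-09", "US"),
    ("2026-05-20T09:09:00Z", "sess-b2", "dev-desktop-09", "US"),
]

# Constructed server-side secret; a real deployment would keep this in an HSM or KMS.
SERVER_KEY = b"constructed-server-secret"


def bind_token(session_id: str, device_fp: str) -> str:
    """Issue a token bound to a device: HMAC over the session id and device attribute."""
    msg = f"{session_id}|{device_fp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def token_valid_for_device(token: str, session_id: str, device_fp: str) -> bool:
    """Recompute the binding for the presenting device.

    A token stolen by an infostealer and replayed from another device yields a
    different HMAC and is rejected, even though the session itself is still live.
    """
    return hmac.compare_digest(token, bind_token(session_id, device_fp))


def find_shared_sessions(events):
    """Return session ids seen from more than one device fingerprint or country.

    This is the log-side signal the advisory calls out: simultaneous or
    overlapping use of one session from different devices or locations.
    """
    devices, countries = defaultdict(set), defaultdict(set)
    for _ts, sid, dev, cc in events:
        devices[sid].add(dev)
        countries[sid].add(cc)
    return sorted(s for s in devices if len(devices[s]) > 1 or len(countries[s]) > 1)
```

Feed real session events into `find_shared_sessions` and alert on any returned id; the binding check belongs in the service's request authentication path, where the presenting device's fingerprint is available.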

This analysis comes amid a broader rise in infostealer activity, with malware-as-a-service platforms making these tools widely available. CrowdStrike's guidance provides a practical framework for organizations to reduce the risk of identity compromise and session hijacking, which remain critical vectors in modern cyberattacks.

Synthesized by Vypr AI